titan-iac/services/keycloak/logs-oidc-secret-ensure-job.yaml

# services/keycloak/logs-oidc-secret-ensure-job.yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: logs-oidc-secret-ensure-2
  namespace: sso
spec:
  backoffLimit: 0
  ttlSecondsAfterFinished: 3600
  template:
    spec:
      serviceAccountName: mas-secrets-ensure
      restartPolicy: Never
      containers:
        - name: apply
          image: alpine:3.20
          command: ["/bin/sh", "-c"]
          args:
            - |
              set -euo pipefail
              apk add --no-cache curl jq kubectl openssl >/dev/null

              KC_URL="http://keycloak.sso.svc.cluster.local"
              ACCESS_TOKEN=""
              for attempt in 1 2 3 4 5; do
                TOKEN_JSON="$(curl -sS -X POST "$KC_URL/realms/master/protocol/openid-connect/token" \
                  -H 'Content-Type: application/x-www-form-urlencoded' \
                  -d "grant_type=password" \
                  -d "client_id=admin-cli" \
                  -d "username=${KEYCLOAK_ADMIN}" \
                  -d "password=${KEYCLOAK_ADMIN_PASSWORD}" || true)"
                ACCESS_TOKEN="$(echo "$TOKEN_JSON" | jq -r '.access_token' 2>/dev/null || true)"
                if [ -n "$ACCESS_TOKEN" ] && [ "$ACCESS_TOKEN" != "null" ]; then
                  break
                fi
                echo "Keycloak token request failed (attempt ${attempt})" >&2
                sleep $((attempt * 2))
              done
              if [ -z "$ACCESS_TOKEN" ] || [ "$ACCESS_TOKEN" = "null" ]; then
                echo "Failed to fetch Keycloak admin token" >&2
                exit 1
              fi

              CLIENT_QUERY="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
                "$KC_URL/admin/realms/atlas/clients?clientId=logs" || true)"
              CLIENT_ID="$(echo "$CLIENT_QUERY" | jq -r '.[0].id' 2>/dev/null || true)"

              if [ -z "$CLIENT_ID" ] || [ "$CLIENT_ID" = "null" ]; then
                create_payload='{"clientId":"logs","enabled":true,"protocol":"openid-connect","publicClient":false,"standardFlowEnabled":true,"implicitFlowEnabled":false,"directAccessGrantsEnabled":false,"serviceAccountsEnabled":false,"redirectUris":["https://logs.bstein.dev/oauth2/callback"],"webOrigins":["https://logs.bstein.dev"],"rootUrl":"https://logs.bstein.dev","baseUrl":"/"}'
                status="$(curl -sS -o /dev/null -w "%{http_code}" -X POST \
                  -H "Authorization: Bearer ${ACCESS_TOKEN}" \
                  -H 'Content-Type: application/json' \
                  -d "${create_payload}" \
                  "$KC_URL/admin/realms/atlas/clients")"
                if [ "$status" != "201" ] && [ "$status" != "204" ]; then
                  echo "Keycloak client create failed (status ${status})" >&2
                  exit 1
                fi
                CLIENT_QUERY="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
                  "$KC_URL/admin/realms/atlas/clients?clientId=logs" || true)"
                CLIENT_ID="$(echo "$CLIENT_QUERY" | jq -r '.[0].id' 2>/dev/null || true)"
              fi

              if [ -z "$CLIENT_ID" ] || [ "$CLIENT_ID" = "null" ]; then
                echo "Keycloak client logs not found" >&2
                exit 1
              fi

              CLIENT_SECRET="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \
                "$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}/client-secret" | jq -r '.value' 2>/dev/null || true)"
              if [ -z "$CLIENT_SECRET" ] || [ "$CLIENT_SECRET" = "null" ]; then
                echo "Keycloak client secret not found" >&2
                exit 1
              fi

              if kubectl -n logging get secret oauth2-proxy-logs-oidc >/dev/null 2>&1; then
                current_cookie="$(kubectl -n logging get secret oauth2-proxy-logs-oidc -o jsonpath='{.data.cookie_secret}' 2>/dev/null || true)"
                if [ -n "${current_cookie}" ]; then
                  decoded="$(printf '%s' "${current_cookie}" | base64 -d 2>/dev/null || true)"
                  length="$(printf '%s' "${decoded}" | wc -c | tr -d ' ')"
                  if [ "${length}" = "16" ] || [ "${length}" = "24" ] || [ "${length}" = "32" ]; then
                    exit 0
                  fi
                fi
              fi

              COOKIE_SECRET="$(openssl rand -hex 16 | tr -d '\n')"
              kubectl -n logging create secret generic oauth2-proxy-logs-oidc \
                --from-literal=client_id="logs" \
                --from-literal=client_secret="${CLIENT_SECRET}" \
                --from-literal=cookie_secret="${COOKIE_SECRET}" \
                --dry-run=client -o yaml | kubectl -n logging apply -f - >/dev/null
          env:
            - name: KEYCLOAK_ADMIN
              valueFrom:
                secretKeyRef:
                  name: keycloak-admin
                  key: username
            - name: KEYCLOAK_ADMIN_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: keycloak-admin
                  key: password
logging: add opensearch dashboards ui 2026-01-09 08:54:07 -03:00			`# services/keycloak/logs-oidc-secret-ensure-job.yaml`
			`apiVersion: batch/v1`
			`kind: Job`
			`metadata:`
keycloak: fix logs oauth2 cookie secret 2026-01-09 08:57:13 -03:00			`name: logs-oidc-secret-ensure-2`
logging: add opensearch dashboards ui 2026-01-09 08:54:07 -03:00			`namespace: sso`
			`spec:`
			`backoffLimit: 0`
			`ttlSecondsAfterFinished: 3600`
			`template:`
			`spec:`
			`serviceAccountName: mas-secrets-ensure`
			`restartPolicy: Never`
			`containers:`
			`- name: apply`
			`image: alpine:3.20`
			`command: ["/bin/sh", "-c"]`
			`args:`
			`- \|`
			`set -euo pipefail`
			`apk add --no-cache curl jq kubectl openssl >/dev/null`

			`KC_URL="http://keycloak.sso.svc.cluster.local"`
			`ACCESS_TOKEN=""`
			`for attempt in 1 2 3 4 5; do`
			`TOKEN_JSON="$(curl -sS -X POST "$KC_URL/realms/master/protocol/openid-connect/token" \`
			`-H 'Content-Type: application/x-www-form-urlencoded' \`
			`-d "grant_type=password" \`
			`-d "client_id=admin-cli" \`
			`-d "username=${KEYCLOAK_ADMIN}" \`
			`-d "password=${KEYCLOAK_ADMIN_PASSWORD}" \|\| true)"`
			`ACCESS_TOKEN="$(echo "$TOKEN_JSON" \| jq -r '.access_token' 2>/dev/null \|\| true)"`
			`if [ -n "$ACCESS_TOKEN" ] && [ "$ACCESS_TOKEN" != "null" ]; then`
			`break`
			`fi`
			`echo "Keycloak token request failed (attempt ${attempt})" >&2`
			`sleep $((attempt * 2))`
			`done`
			`if [ -z "$ACCESS_TOKEN" ] \|\| [ "$ACCESS_TOKEN" = "null" ]; then`
			`echo "Failed to fetch Keycloak admin token" >&2`
			`exit 1`
			`fi`

			`CLIENT_QUERY="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \`
			`"$KC_URL/admin/realms/atlas/clients?clientId=logs" \|\| true)"`
			`CLIENT_ID="$(echo "$CLIENT_QUERY" \| jq -r '.[0].id' 2>/dev/null \|\| true)"`

			`if [ -z "$CLIENT_ID" ] \|\| [ "$CLIENT_ID" = "null" ]; then`
			`create_payload='{"clientId":"logs","enabled":true,"protocol":"openid-connect","publicClient":false,"standardFlowEnabled":true,"implicitFlowEnabled":false,"directAccessGrantsEnabled":false,"serviceAccountsEnabled":false,"redirectUris":["https://logs.bstein.dev/oauth2/callback"],"webOrigins":["https://logs.bstein.dev"],"rootUrl":"https://logs.bstein.dev","baseUrl":"/"}'`
			`status="$(curl -sS -o /dev/null -w "%{http_code}" -X POST \`
			`-H "Authorization: Bearer ${ACCESS_TOKEN}" \`
			`-H 'Content-Type: application/json' \`
			`-d "${create_payload}" \`
			`"$KC_URL/admin/realms/atlas/clients")"`
			`if [ "$status" != "201" ] && [ "$status" != "204" ]; then`
			`echo "Keycloak client create failed (status ${status})" >&2`
			`exit 1`
			`fi`
			`CLIENT_QUERY="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \`
			`"$KC_URL/admin/realms/atlas/clients?clientId=logs" \|\| true)"`
			`CLIENT_ID="$(echo "$CLIENT_QUERY" \| jq -r '.[0].id' 2>/dev/null \|\| true)"`
			`fi`

			`if [ -z "$CLIENT_ID" ] \|\| [ "$CLIENT_ID" = "null" ]; then`
			`echo "Keycloak client logs not found" >&2`
			`exit 1`
			`fi`

			`CLIENT_SECRET="$(curl -sS -H "Authorization: Bearer ${ACCESS_TOKEN}" \`
			`"$KC_URL/admin/realms/atlas/clients/${CLIENT_ID}/client-secret" \| jq -r '.value' 2>/dev/null \|\| true)"`
			`if [ -z "$CLIENT_SECRET" ] \|\| [ "$CLIENT_SECRET" = "null" ]; then`
			`echo "Keycloak client secret not found" >&2`
			`exit 1`
			`fi`

			`if kubectl -n logging get secret oauth2-proxy-logs-oidc >/dev/null 2>&1; then`
keycloak: fix logs oauth2 cookie secret 2026-01-09 08:57:13 -03:00			`current_cookie="$(kubectl -n logging get secret oauth2-proxy-logs-oidc -o jsonpath='{.data.cookie_secret}' 2>/dev/null \|\| true)"`
			`if [ -n "${current_cookie}" ]; then`
			`decoded="$(printf '%s' "${current_cookie}" \| base64 -d 2>/dev/null \|\| true)"`
			`length="$(printf '%s' "${decoded}" \| wc -c \| tr -d ' ')"`
			`if [ "${length}" = "16" ] \|\| [ "${length}" = "24" ] \|\| [ "${length}" = "32" ]; then`
			`exit 0`
			`fi`
			`fi`
logging: add opensearch dashboards ui 2026-01-09 08:54:07 -03:00			`fi`

keycloak: fix logs oauth2 cookie secret 2026-01-09 08:57:13 -03:00			`COOKIE_SECRET="$(openssl rand -hex 16 \| tr -d '\n')"`
logging: add opensearch dashboards ui 2026-01-09 08:54:07 -03:00			`kubectl -n logging create secret generic oauth2-proxy-logs-oidc \`
			`--from-literal=client_id="logs" \`
			`--from-literal=client_secret="${CLIENT_SECRET}" \`
			`--from-literal=cookie_secret="${COOKIE_SECRET}" \`
			`--dry-run=client -o yaml \| kubectl -n logging apply -f - >/dev/null`
			`env:`
			`- name: KEYCLOAK_ADMIN`
			`valueFrom:`
			`secretKeyRef:`
			`name: keycloak-admin`
			`key: username`
			`- name: KEYCLOAK_ADMIN_PASSWORD`
			`valueFrom:`
			`secretKeyRef:`
			`name: keycloak-admin`
			`key: password`